Abstract. The discrete logarithm problem is one of the backbones in
public key cryptography. In this paper we study the discrete logarithm
problem in the group of circulant matrices over a finite field. This gives
rise to secure and fast public key cryptosystems.

1. Introduction 

Menezes and Wu [5] claim that working with the discrete logarithm problem
in matrices offers no major improvement over working with a finite field.
Many authors, including myself [3], repeated that claim. It is now common
knowledge that for practical purposes, the discrete logarithm problem in
non-singular matrices is not worth looking at.

In this note, I provide a counterexample to the above mentioned common
knowledge and show that matrices can be used effectively to produce a fast
and secure cryptosystem. This approach can be seen as working with the MOR
cryptosystem [?], with finite dimensional vector spaces over a finite field.

In this note, we will only deal with the discrete logarithm problem in
matrices, i.e., given a non-singular $d \times d$ matrix $A$ and $B = A^m$
over $\mathbb{F}_q$, compute $m$; here $q$ is a power of a prime $p$. One can
easily build any cryptosystem that uses the discrete logarithm problem, like
the Diffie-Hellman key exchange or the ElGamal cryptosystem, using the
discrete logarithm problem in matrices. There are many aspects to the
security of a cryptosystem. In this paper we will only deal with the
computational aspects of solving a discrete logarithm problem.

The core of the Menezes-Wu algorithm is to compute the characteristic
polynomial $\chi_A(x)$ of $A$. The eigenvalues of $A$, which are the roots of
$\chi_A(x)$, belong to the splitting field of $\chi_A(x)$. The roots of
$\chi_B(x)$ also belong to the same splitting field. Then to solve the
discrete logarithm problem, one has to solve the individual discrete
logarithm problems in the eigenvalues and then use the Chinese remainder
theorem. The security of the discrete logarithm problem depends on the
degree of the extension of the splitting field.



Since solving a discrete logarithm problem depends on the size of the field,
we can get excellent security by taking $d$ large (around 20) and choosing
$A$ such that $\chi_A(x)$ is irreducible. However, in that case matrix
multiplication becomes very expensive and we are better off working with the
finite field $\mathbb{F}_{q^d}$. This is the argument of Menezes and Wu [5].

In this paper, we deal with a particular type of non-singular matrices, the
circulant matrices. We show that for these matrices, squaring is free and
multiplication is easy. When this is the case, the above argument is no
longer valid and we have a good chance of a successful cryptosystem. Using
the extended Euclidean algorithm, computing the inverse of a circulant
matrix is easy, which makes a cryptosystem built on circulant matrices very
fast and secure.

When working with the discrete logarithm problem in matrices, one should
be careful of the fact that the determinant is a multiplicative map from the
matrices to the ground field: $\det(A^m) = \det(A)^m$. This can always reduce
the discrete logarithm problem in matrices to a discrete logarithm problem in
the ground field. This can be easily avoided by:

(i) Choose $A$ such that the determinant of $A$ is 1.

2. Circulant Matrices 

The reader is reminded that all fields (often denoted by $\mathbb{F}$) are
finite with characteristic $p$.

Definition 1. A $d \times d$ matrix over a field $\mathbb{F}$ is called
circulant if every row except the first row is a right circular shift of the
row above it. So a circulant matrix is defined by its first row. One can
define a circulant matrix similarly using columns.

Even though a circulant matrix is a two dimensional object, in practice it
behaves much like a one dimensional object given by the first row or the
first column. We will denote a circulant matrix $C$ with first row
$c_0, c_1, \ldots, c_{d-1}$ by $C = \mathrm{circ}(c_0, c_1, c_2, \ldots, c_{d-1})$.
An example of a circulant $5 \times 5$ matrix is:

$$
\begin{pmatrix}
c_0 & c_1 & c_2 & c_3 & c_4 \\
c_4 & c_0 & c_1 & c_2 & c_3 \\
c_3 & c_4 & c_0 & c_1 & c_2 \\
c_2 & c_3 & c_4 & c_0 & c_1 \\
c_1 & c_2 & c_3 & c_4 & c_0
\end{pmatrix}
$$

It is easy to see that all the (sub)diagonals of a circulant matrix are
constant. This fact comes in handy. Let $W = \mathrm{circ}(0, 1, 0, \ldots, 0)$
be a $d \times d$ circulant matrix; then clearly $W^d = I$. We can write
$C = c_0 I + c_1 W + c_2 W^2 + \cdots + c_{d-1} W^{d-1}$. One can define a
representer polynomial corresponding to the circulant matrix $C$ as
$\phi_C = c_0 + c_1 x + c_2 x^2 + \cdots + c_{d-1} x^{d-1}$. This shows that
the circulants form a commutative ring with respect to matrix multiplication
and matrix addition, which is isomorphic (the isomorphism being matrix to
representer polynomial) to
$$\frac{\mathbb{F}[x]}{x^d - 1}.$$
For more on circulant matrices, see [?].



2.1. How easy is it to square a circulant matrix?

Let $A = \mathrm{circ}(a_0, a_1, \ldots, a_{d-1})$ be a circulant matrix over
a field of characteristic 2. We show that to compute $A^2$, we need to
compute $a_i^2$ for each $i$ in $\{0, 1, 2, \ldots, d-1\}$. Then
$A^2 = \mathrm{circ}(a_{\pi(0)}^2, a_{\pi(1)}^2, \ldots, a_{\pi(d-1)}^2)$,
where $\pi$ is a permutation of $\{0, 1, 2, \ldots, d-1\}$. This was also
observed by Silverman [8, Example 3].

Theorem 2.1. If the characteristic of the field $\mathbb{F}$ is 2, and $d$ is
an odd integer, then squaring a $d \times d$ circulant matrix $A$ is the same
as squaring $d$ field elements.

Proof. We use the standard method of matrix multiplication, where one
computes the dot product of the $i$th row with the $j$th column for the
element at the intersection of the $i$th row and the $j$th column of the
product matrix. As we saw before, the circulant matrices are closed under
multiplication and a circulant matrix is given by its first row.

Taking these into account, if the circulant is
$A = \mathrm{circ}(a_0, a_1, \ldots, a_{d-1})$, we see that the first element
of the first row of the product is the dot product of
$(a_0, a_1, \ldots, a_{d-1})$ with the first column
$(a_0, a_{d-1}, \ldots, a_1)$. The first column can be thought of as the map
$a_i \mapsto a_{-i \bmod d}$ for $i = 0, 1, \ldots, d-1$.

For each $j$ in $\{0, 1, 2, \ldots, d-1\}$, the $j$th column is given by the
map $a_i \mapsto a_{j-i \bmod d}$, so the $j$th element of the first row of
the product is $\sum_i a_i a_{j-i \bmod d}$. Now notice that if
$i \mapsto j-i \bmod d$, then $j-i \mapsto i \bmod d$. This proves that the
terms of the dot product form pairs of equal terms, which sum to zero when
working in characteristic 2.

The only thing that escapes forming pairs are those $i$ for which
$i = j - i \bmod d$. Since $d$ is odd, there is an inverse of 2 mod $d$ and a
unique solution $i = j \cdot 2^{-1} \bmod d$; this $i$ is $\pi(j)$. $\square$

It is easy to see from the above proof that once $d$ is fixed, one can
easily compute the permutation $\pi$. The computation of the $d$ different
squares can be done in parallel.
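The squaring permutation of Theorem 2.1 worked out over $\mathbb{F}_2$, as an added Python example that is not code from the paper: it assumes $d$ odd, uses $\pi(j) = j \cdot 2^{-1} \bmod d$ with $2^{-1} = (d+1)/2$, and checks the formula against plain matrix multiplication on a constructed circulant.

```python
# Added illustration (not from the paper): for A = circ(a_0, ..., a_{d-1})
# over F_2 with d odd, entry (0, j) of A^2 is sum_i a_i a_{j-i mod d}; the
# terms i and j-i pair off and cancel in characteristic 2, leaving only
# a_{pi(j)}^2 with pi(j) = j * 2^{-1} mod d.

def circ(first_row):
    """Build the d x d circulant matrix whose rows are right circular shifts."""
    d = len(first_row)
    return [[first_row[(j - i) % d] for j in range(d)] for i in range(d)]

def matmul_gf2(X, Y):
    """Plain row-times-column product with entries reduced mod 2."""
    d = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(d)) % 2 for j in range(d)]
            for i in range(d)]

def squaring_permutation(d):
    """pi(j) = j * 2^{-1} mod d, the unique i with 2i = j (mod d); needs d odd."""
    if d % 2 == 0:
        raise ValueError("Theorem 2.1 needs odd d")
    inv2 = (d + 1) // 2          # 2 * (d+1)/2 = d + 1 = 1 (mod d)
    return [(j * inv2) % d for j in range(d)]

def square_circulant_gf2(first_row):
    """A^2 via Theorem 2.1: square d field elements, then permute them."""
    d = len(first_row)
    pi = squaring_permutation(d)
    return [(first_row[pi[j]] ** 2) % 2 for j in range(d)]

def theorem_holds(first_row):
    """Compare the permutation formula with honest matrix multiplication."""
    A = circ(first_row)
    return matmul_gf2(A, A) == circ(square_circulant_gf2(first_row))

if __name__ == "__main__":
    # constructed example: A = circ(1, 1, 0, 1, 0), d = 5, so 2^{-1} = 3 mod 5
    row = [1, 1, 0, 1, 0]
    print(squaring_permutation(5))          # [0, 3, 1, 4, 2]
    print(square_circulant_gf2(row))        # [1, 1, 1, 0, 0]
    print(theorem_holds(row))               # True
```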



3. The discrete logarithm problem in the group of
non-singular circulant matrices

As we saw before, circulant matrices can be represented in two different
ways, one as a circulant matrix and the other as an element of the ring
$$\mathcal{R} = \frac{\mathbb{F}[x]}{x^d - 1}.$$
In the latter case, each element of $\mathcal{R}$ is a polynomial of degree
at most $d - 1$ over $\mathbb{F}$. The polynomial multiplication in
$\mathcal{R}$ can be done (in parallel) using matrix multiplication. If
matrix multiplication is used to do the polynomial multiplication, then
there is no need to do the reduction mod $x^d - 1$.

These two representations lead to two different kinds of attack on the
discrete logarithm problem:

(a) The discrete logarithm problem in matrices.

(b) The discrete logarithm problem in $\mathcal{R}$.



3.1. The discrete logarithm problem in matrices. As we understood from
Menezes and Wu [5], solving the discrete logarithm problem in non-singular
matrices is tied to the largest degree of the irreducible factors of the
characteristic polynomial. The best case scenario happens when the
characteristic polynomial is irreducible. For circulant matrices this is not
the case.

It is easy to see that the row-sum, the sum of all the elements in a row, is
constant in a circulant matrix. This makes the row-sum an eigenvalue of the
matrix (the all-ones vector is a corresponding eigenvector). Since this
eigenvalue belongs to the ground field, the only way to escape a discrete
logarithm problem in the ground field is to make sure that the eigenvalue,
i.e., the row-sum, is 1. So the circulant matrix $A$ should be chosen with
the following properties:

(ii) The matrix $A$ has row-sum 1.

(iii) The polynomial $\dfrac{\chi_A(x)}{x - 1}$ is irreducible.

In the above case the security of the discrete logarithm problem in $A$ is
similar to that of the discrete logarithm problem in the finite field
$\mathbb{F}_{q^{d-1}}$.



3.2. The discrete logarithm problem in $\dfrac{\mathbb{F}_q[x]}{x^d - 1}$.
Notice that
$$
\frac{\mathbb{F}_q[x]}{x^d - 1} \cong \frac{\mathbb{F}_q[x]}{x - 1} \times \frac{\mathbb{F}_q[x]}{\psi(x)},
$$
where $\psi(x) = \dfrac{x^d - 1}{x - 1}$ and $\gcd(d, q) = 1$. So the discrete
logarithm problem in $\dfrac{\mathbb{F}_q[x]}{x^d - 1}$ reduces into two
different discrete logarithm problems, one in the field $\mathbb{F}_q$ and
the other in the ring $\dfrac{\mathbb{F}_q[x]}{\psi(x)}$. The matrix $A$ can
be chosen in such a way that the representer polynomial
$\phi_A(x) \bmod (x - 1)$ is either 0 or 1 and hence reveals no information
about the secret key $m$. If $\psi(x)$ is irreducible, then the discrete
logarithm problem is a discrete logarithm problem in the field
$\dfrac{\mathbb{F}_q[x]}{\psi(x)}$. Hence the security of the discrete
logarithm problem is the same as that of the discrete logarithm problem in
$\mathbb{F}_{q^{d-1}}$.

The question remains, when is $\psi(x)$ irreducible? We know that [2,
Theorem 2.45], $x^d - 1 = \prod_{d_1 \mid d} \Phi_{d_1}(x)$, where
$\Phi_k(x)$ is the $k$th cyclotomic polynomial. It follows that if $d$ is
prime, then $\psi(x) = \Phi_d(x)$. Then the question reduces to, when is the
$d$th cyclotomic polynomial irreducible, for a prime $d$? It is known [2,
Theorem 2.47] that the $d$th cyclotomic polynomial $\Phi_d(x)$ is
irreducible over $\mathbb{F}_q$ if and only if $q$ is primitive mod $d$,
i.e., the multiplicative order of $q$ modulo $d$ is $d - 1$.

We summarize the requirements on $A$, such that the discrete logarithm
problem is as secure as the discrete logarithm problem in
$\mathbb{F}_{q^{d-1}}$.

(iv) The integer $d$ is prime.

(v) The representer polynomial $\phi_A(x) \bmod (x - 1)$ is either 0 or 1.

(vi) $q$ is primitive mod $d$.
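An added Python example, not the paper's code, of the ring $\mathcal{R} = \mathbb{F}_2[x]/(x^d - 1)$ with elements stored as bit vectors: it checks conditions (ii), (iv) and (vi) for $q = 2$ and runs a Diffie-Hellman exchange whose square-and-multiply squares by the coefficient permutation of Theorem 2.1. The generator polynomial, the exponents and $d = 11$ are constructed values; $\gcd(d, 2) = 1$ holds because $d$ is an odd prime.

```python
# Added illustration (not from the paper): R = F_2[x]/(x^d - 1), elements as
# Python ints with bit i = coefficient of x^i; squaring uses Theorem 2.1.

def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def is_primitive_mod(q, d):
    """For prime d: q is primitive mod d iff q^k != 1 (mod d) for 0 < k < d-1."""
    return d > 2 and q % d != 0 and all(pow(q, k, d) != 1 for k in range(1, d - 1))

def mul(a, b, d):
    """Carry-less product over F_2, then fold x^(d+i) onto x^i since x^d = 1."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a <<= 1
        b >>= 1
    return (prod & ((1 << d) - 1)) ^ (prod >> d)   # deg(prod) <= 2d-2: one fold

def square(a, d):
    """Theorem 2.1: a_i moves to position 2i mod d; no field arithmetic at all."""
    out = 0
    for i in range(d):
        if a >> i & 1:
            out |= 1 << (2 * i % d)
    return out

def power(a, e, d):
    """Left-to-right square-and-multiply in R."""
    result = 1                                   # the constant polynomial 1
    for bit in bin(e)[2:]:
        result = square(result, d)
        if bit == "1":
            result = mul(result, a, d)
    return result

def good_parameters(a, q, d):
    """(ii) row-sum 1, (iv) d prime, (vi) q primitive mod d (q = 2 here)."""
    row_sum = bin(a).count("1") % 2              # phi_A(1) computed over F_2
    return row_sum == 1 and is_prime(d) and is_primitive_mod(q, d)

def diffie_hellman(a, d, m, n):
    """Return Alice's A^m, Bob's A^n and the two computed shared secrets."""
    am, an = power(a, m, d), power(a, n, d)
    return am, an, power(an, m, d), power(am, n, d)

if __name__ == "__main__":
    A, d = 0b10000011011, 11     # constructed: 1+x+x^3+x^4+x^10 (odd weight); 2 has order 10 mod 11
    print(good_parameters(A, 2, d), diffie_hellman(A, d, 345, 678))
```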

4. Why use the discrete logarithm problem with $d \times d$
circulant matrices over $\mathbb{F}_q$ instead of $\mathbb{F}_{q^d}$?

A quick answer to the above question is that multiplication in
$\mathcal{R}$, which is isomorphic as an algebra to $d \times d$ circulant
matrices over $\mathbb{F}_q$, can be much faster!

In implementing the exponentiation in any group, the best known method is
the famous square-and-multiply algorithm. Using a normal basis [2,
Definition 2.32], in a finite field of characteristic 2, squaring is cheap;
it is just a cyclic shift of the bits. In our case, using Theorem 2.1, it is
not a cyclic shift but a permutation. How about multiplication?

The details of the complexity of multiplication are a bit involved, but
well studied. So we can skip the details here, and refer the reader to
[6, 8]. The best case complexity for multiplication in a finite field, using
a normal basis, is obtained with an optimal normal basis [6, Chapter 5]. In
that case, the complexity of multiplication in the field $\mathbb{F}_{2^d}$
is $2d - 1$ [6, Theorem 5.1]. In the case of $\mathcal{R}$, that complexity
reduces to $d$ [8, Example 3]. In $\mathcal{R}$ we get the security of
$\mathbb{F}_{2^{d-1}}$. So there is an obvious advantage of working with
circulant matrices over finite fields: the complexity of computing the
exponentiation reduces to almost half, with only one extra bit.

Lastly, one can use the extended Euclidean algorithm to compute the inverse
of a representer polynomial in $\mathcal{R}$. In an ElGamal-like
cryptosystem, one needs to compute that inverse. This will make decryption
fast.

5. Conclusions

In this paper we study a discrete logarithm problem in the ring of circulant
matrices. If the matrices are of size $d$, then we saw that under suitable
conditions, the discrete logarithm problem is as secure as the discrete
logarithm problem in $\mathbb{F}_{q^{d-1}}$. Since multiplying circulant
matrices is easier, the discrete logarithm problem in circulant matrices is
obviously better than the discrete logarithm problem in a finite field.

There is not much history of looking at matrices for a better (more secure)
discrete logarithm problem. In this note the isomorphism of the circulant
matrices with the algebra $\mathcal{R}$ has reduced the central issue of
this work to that of implementation of finite fields. One way to look at
$\mathcal{R}$, and this study of the discrete logarithm problem in
$\mathcal{R}$, is this: the finite field $\mathbb{F}_{q^{d-1}}$ is embedded
in $\mathcal{R}$. Though this is a valid way of looking at the present
situation, it is not the whole view. For example, the issue with the row-sum
won't be transparent unless one chooses to look at matrices. Also this opens
up the possibility that there can be other matrices, in which we can do much
better with the discrete logarithm problem.